Encryption Types

Kerberos supports several types of encryption for securing session keys and tickets. The type used for a particular ticket or session key is negotiated automatically when you request a ticket or a service.


Weak Encryption Types

In the table of Encryption Types below, some encryption types are noted as weak. Most of them are encryption types that used to be strong but now, with more computing power available, are considered weak and therefore undesirable. However, they are still sometimes used for backwards compatibility. If Kerberos is installed in a network that contains some older machines running operating systems that do not support the newer encryption types, administrators can choose to allow the weaker encryption when connecting to the older machines.


View Encryption Types

  1. Click the Options tab and find the View Options panel.
  2. Click the Encryption Type checkbox to select it. This opens the Encryption Type column in the main window, showing the encryption type associated with each of your tickets and session keys.
    How to: Use Ticket Options Panel
  3. Click and drag the line to the right of the Encryption Type column header to widen the column enough to see both the ticket and session key.
  4. Click the blue triangle to the left of a principal name to see all tickets and session keys issued to that principal. Each ticket and key will have an entry in the Encryption type column.
    How to: View Tickets


Supported Encryption Types

Encryption Type: Description

des-: The DES (Data Encryption Standard) family is a symmetric block cipher. It was designed to handle only 56-bit keys, which is not enough for modern computing power. It is now considered to be weak encryption.
  • des-cbc-crc (weak)
  • des-cbc-md5 (weak)
  • des-cbc-md4 (weak)

des3-: The triple DES family improves on the original DES (Data Encryption Standard) by using 3 separate 56-bit keys. Some modes of 3DES are considered weak while others are strong (if slow).
  • des3-cbc-sha1
  • des3-cbc-raw (weak)
  • des3-hmac-sha1
  • des3-cbc-sha1-kd

aes: The AES (Advanced Encryption Standard) family, like DES and 3DES, is a symmetric block cipher and was designed to replace them. It can use multiple key sizes. Kerberos specifies its use with 256-bit and 128-bit keys.
  • aes256-cts-hmac-sha1-96
  • aes128-cts-hmac-sha1-96

rc4 or arcfour: RC4 (Rivest Cipher 4) is a symmetric stream cipher that can use multiple key sizes. The exportable variations are considered weak, but other variations are strong.
  • arcfour-hmac
  • rc4-hmac
  • arcfour-hmac-md5
  • arcfour-hmac-exp (weak)
  • rc4-hmac-exp (weak)
  • arcfour-hmac-md5-exp (weak)
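
The check below is an added example, not part of the original help page or of MIT Kerberos. It reads text in the layout printed by klist -e (which lists the session key and ticket encryption type for each ticket) and reports every entry whose type is marked weak in the table above. The sample output, the principal names and the extra_weak parameter are constructed for illustration.

```python
import re

# Names marked "(weak)" in the Supported Encryption Types table above.
WEAK_ETYPES = {
    "des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des3-cbc-raw",
    "arcfour-hmac-exp", "rc4-hmac-exp", "arcfour-hmac-md5-exp",
}

# Constructed sample in the style of `klist -e` output (not from a real host).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting     Expires            Service principal
01/01/30 09:00:00  01/01/30 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\tEtype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
01/01/30 09:05:00  01/01/30 19:00:00  host/legacy.example.com@EXAMPLE.COM
\tEtype (skey, tkt): des-cbc-crc, des-cbc-md5
01/01/30 09:06:00  01/01/30 19:00:00  HTTP/web.example.com@EXAMPLE.COM
\tEtype (skey, tkt): arcfour-hmac, aes128-cts-hmac-sha1-96
"""

# A ticket line is "<date> <time>  <date> <time>  <service principal>".
TICKET_RE = re.compile(r"^\S+ \d\d:\d\d:\d\d\s+\S+ \d\d:\d\d:\d\d\s+(\S+)\s*$")
ETYPE_RE = re.compile(r"^\s*Etype \(skey, tkt\):\s*(\S+),\s*(\S+)\s*$")

def normalize(name):
    # Some klist builds prefix a type with "DEPRECATED:"; strip it for lookup.
    name = name.strip().lower()
    return name[len("deprecated:"):] if name.startswith("deprecated:") else name

def audit_klist(text, extra_weak=()):
    """Return [(service, role, etype)] for each weak session key or ticket.

    extra_weak (hypothetical parameter) lets a site flag additional types.
    """
    weak = WEAK_ETYPES | {normalize(e) for e in extra_weak}
    findings, service = [], None
    for line in text.splitlines():
        if (m := TICKET_RE.match(line)):
            service = m.group(1)          # remember which ticket we are in
        elif (m := ETYPE_RE.match(line)):
            for role, etype in zip(("session key", "ticket"), m.groups()):
                if normalize(etype) in weak:
                    findings.append((service, role, normalize(etype)))
    return findings

if __name__ == "__main__":
    for service, role, etype in audit_klist(SAMPLE_KLIST):
        print(f"WEAK {role:11} {etype:14} {service}")
```

The session key and the ticket are checked separately because, as the Encryption Type column shows, each has its own encryption type.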
